Cybersecurity researchers from Zscaler ThreatLabz, in collaboration with TibCERT, have uncovered two sophisticated cyberattack campaigns targeting the Tibetan community in anticipation of the Dalai Lama’s 90th birthday in July 2025.
The campaigns, dubbed Operation GhostChat and Operation PhantomPrayers, deployed advanced malware including Ghost RAT and PhantomNet backdoors through multi-stage infection chains that exploited legitimate software vulnerabilities.
The threat actors capitalized on heightened online activity surrounding the Dalai Lama’s milestone birthday by compromising legitimate websites and creating convincing replicas.
In Operation GhostChat, attackers replaced a legitimate link on tibetfund.org with a malicious redirect to thedalailama90.niccenter[.]net, which closely mimicked the original site.
The fake webpage offered a backdoored version of Element, a popular encrypted messaging application, hosted at theelement.niccenter[.]net.
Operation PhantomPrayers employed a different approach, using the subdomain hhthedalailama90.niccenter[.]net to distribute malicious software masquerading as “special prayer check-in” software.
The application, built with PyQt5 and packaged using PyInstaller, displayed an interactive map showing fabricated check-ins from users worldwide to enhance the social engineering deception.
Both campaigns utilized sophisticated DLL sideloading techniques to bypass security measures.
In Operation GhostChat, the legitimate Element.exe application was configured to automatically load a malicious ffmpeg.dll file, which served as the initial stage loader.
The attack employed several evasion techniques, including mapping a fresh copy of ntdll.dll from disk to bypass API hooks and utilizing low-level Windows APIs, such as NtCreateSection and RtlCreateUserProcess, for code injection.
The malware demonstrated advanced persistence mechanisms, creating registry entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and utilizing a shared memory section-based code injection technique to inject shellcode into legitimate Windows processes, such as ImagingDevices.exe.
The final payloads included Ghost RAT, which communicated with its command-and-control server at 104.234.15[.]90:19999 using a custom “KuGou” packet header, and the PhantomNet backdoor, which connected to 45.154.12[.]93:2233.
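The chain described above (fake niccenter[.]net domain, Element.exe sideloading ffmpeg.dll, a Run-key entry, and a beacon from ImagingDevices.exe to the Ghost RAT C2) maps cleanly onto host telemetry. The following is an added triage example, not Zscaler or TibCERT code: it runs the article's indicators over constructed Sysmon-style events; the event field names, the sample log, and the `KNOWN_GOOD_FFMPEG_SHA256` allowlist placeholder are assumptions.

```python
from typing import Optional

# Indicators quoted in the article.
C2_ENDPOINTS = {("104.234.15.90", 19999), ("45.154.12.93", 2233)}
MALICIOUS_DOMAIN_SUFFIX = "niccenter.net"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KNOWN_BAD_SHA256 = {"0ad4835662b485f3a1d0702f945f1a3cf17e0a5d75579bea165c19afd1f8ea00"}  # TBElement.zip
# Placeholder allowlist (assumption): SHA256 of the ffmpeg.dll shipped with the vendor Element build.
KNOWN_GOOD_FFMPEG_SHA256 = {"<sha256-of-vendor-ffmpeg.dll>"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event: dict) -> Optional[str]:
    """Return a finding label for one normalised event, or None if nothing matched."""
    eid = event.get("EventID")
    if event.get("SHA256", "").lower() in KNOWN_BAD_SHA256:
        return "known-bad-hash"
    if eid == 3 and (event.get("DestinationIp"), event.get("DestinationPort")) in C2_ENDPOINTS:
        return "c2-connection"
    if eid == 22 and event.get("QueryName", "").lower().endswith(MALICIOUS_DOMAIN_SUFFIX):
        return "malicious-domain-lookup"
    if (eid == 7 and basename(event["Image"]) == "element.exe"
            and basename(event["ImageLoaded"]) == "ffmpeg.dll"
            and event.get("SHA256", "").lower() not in KNOWN_GOOD_FFMPEG_SHA256):
        return "possible-dll-sideload"  # legitimate Element.exe loading an unexpected ffmpeg.dll
    if eid == 13 and event.get("TargetObject", "").upper().startswith(RUN_KEY.upper()):
        return "run-key-persistence"
    return None

def triage_all(events) -> list:
    """(EventID, process, finding) for every event that matched a rule, in log order."""
    return [(e["EventID"], basename(e["Image"]), f) for e in events if (f := triage(e))]

DL = r"C:\Users\u\Downloads\TBElement"
SAMPLE_EVENTS = [  # constructed, following the GhostChat chain described in the article
    {"EventID": 15, "Image": r"C:\Program Files\Firefox\firefox.exe", "TargetFilename": DL + ".zip",
     "SHA256": "0AD4835662B485F3A1D0702F945F1A3CF17E0A5D75579BEA165C19AFD1F8EA00"},
    {"EventID": 22, "Image": DL + r"\Element.exe", "QueryName": "theelement.niccenter.net"},
    {"EventID": 7, "Image": DL + r"\Element.exe", "ImageLoaded": DL + r"\ffmpeg.dll", "SHA256": "ab" * 32},
    {"EventID": 13, "Image": DL + r"\Element.exe", "TargetObject": RUN_KEY + r"\Element"},
    {"EventID": 3, "Image": r"C:\Windows\System32\ImagingDevices.exe",
     "DestinationIp": "104.234.15.90", "DestinationPort": 19999},
    {"EventID": 3, "Image": r"C:\Program Files\Firefox\firefox.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},  # benign, should not match
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(*finding)
```

The sideload rule deliberately keys on the legitimate parent (Element.exe) rather than on a hash of the malicious DLL, so it still fires when the loader is rebuilt; replace the placeholder allowlist with the real vendor hash before deploying.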
Researchers attribute these campaigns with high confidence to China-nexus APT groups based on the victimology targeting the Tibetan community, the specific malware variants used, and the deployment of tailored tactics, techniques, and procedures (TTPs).
Both Ghost RAT and PhantomNet have been previously associated with Chinese state-sponsored cyber espionage operations, with PhantomNet linked to the TA428 APT group.
The campaigns highlight the continued targeting of politically sensitive communities through sophisticated technical means combined with culturally relevant social engineering tactics.
| MD5 hash | SHA1 hash | SHA256 hash | Filename | Description |
|---|---|---|---|---|
| 42d83a46250f788eef80ff090d9d6c87 | ff9fddb016ec8062180c77297d478b26d65a7a40 | 0ad4835662b485f3a1d0702f945f1a3cf17e0a5d75579bea165c19afd1f8ea00 | TBElement.zip | Malicious ZIP archive |
| 5b63a01a0b3f6e06dd67b42ad4f18266 | 71f09721792d3a4f1ea61d1f3664e5a503c447b2 | d896953447088e5dc9e4b7b5e9fb82bcb8eb7d4f6f0315b5874b6d4b0484bd69 | Element.exe | Legitimate executable vulnerable to DLL sideloading |